Google proposes new DNS protocol extension

An interesting proposal was announced on the official Google Code Blog this week. In a lengthy draft, a group of DNS and content providers (including Google) outline the concept of extending the DNS protocol to include part of a user's IP address. DNS works by translating friendly domain names into numeric addresses.

Currently, the nameserver answering the query sees only the address of the user's ISP resolver or of a third-party resolver. Passing along part of the individual's own IP address lets the nameserver direct the request to a nearby server, reducing latency and creating a better experience for the customer. This is especially important to those using a large DNS resolver, as servers several countries away could be processing the request.

According to Google, the proposed DNS protocol would send only the first three octets (top 24 bits) of an IP address, enough to determine the user's approximate location while still protecting their privacy. Skeptics, on the other hand, question the motives surrounding the protocol. Is this just another way for companies to monitor what customers are doing on the internet? We should know within a few months if the proposal is accepted as a new internet standard.

Below is an excerpt of the draft. The entire proposal can be viewed on the Internet Engineering Task Force (IETF) website.

"Authoritative Nameservers of most major web sites today return different replies based on the perceived vicinity of the user to a particular location and knowledge of available resources.  This significantly reduces the overall latency of connections established by the end user and optimizes network resource usage.

To find the best reply for a given query, most nameservers use the IP address of the incoming query to attempt to establish the location of the end user.

Most users today, however, do not query the Authoritative Nameserver directly.  Instead, queries are relayed by Recursive Resolvers operated by their ISP or third parties.

When the Recursive Resolver does not use an IP address that appears to be topologically close to the end user, the results returned by those Authoritative Nameservers will be at best sub-optimal.

This draft proposes a DNS protocol extension to enable Authoritative Nameservers to return answers based on the network address of the actual client, by allowing Recursive Resolvers to include it in queries."


29 Comments


This makes sense, anyone with a clue will understand that DNS Services (like OpenDNS, GoogleDNS etc) have issues with services which rely on geo-location via the DNS Server's querying IP Address.

For instance, as a result of this things like CDNs do not end up with content being served from the closest network to the end user. Having the ability for the DNS Server to "inform" the authoritative nameserver for that service will result in content being served from the correct/proper locations. Also note that this can have an impact on ISPs' networks as well (which is slightly off topic but related) - as a result of say, GoogleDNS sending me to a US Server for a CDN my ISP is unlikely to peer with that US Network. However odds are they peer with the CDN in the UK or EU... thus it costs them less. Like I said, slightly off topic but relevant as it's money that can drive these changes and if it's going to save networks/ISPs money in transit costs I don't see the problem with any of this.

It's not like it's hard to track what you're doing online anyway.

Most likely Google already has your home address and can track all your information. However the nice part about this new protocol is not only will it allow faster queries but it will make it harder for ISPs to track you. And seeing as ISPs like to jump in everyone's beds I am much more worried about them tracking me.

LiquidMeson said,
Most likely Google already has your home address and can track all your information. However the nice part about this new protocol is not only will it allow faster queries but it will make it harder for ISPs to track you. And seeing as ISPs like to jump in everyone's beds I am much more worried about them tracking me.

+1! This is completely correct. I already use the Google Public DNS they have out.

LiquidMeson said,
And seeing as ISPs like to jump in everyone's beds I am much more worried about them tracking me.

Pretty much all UK ISPs monitor/track their users' browsing, either through DNS or other means as there is a "blacklist" of sites/URLs that are deemed highly inappropriate (I'm sure you can work out the sort of highly disgusting content I'm talking about). They don't even see the list, only the people who "monitor" the internet know what's on it and what's blocked. Search for something called the "Internet Watch Foundation" in the UK and you'll find the information about the company that provides that list. It's up to the ISP how they implement it though.

Now, you think you need tinfoil hats for Google? Try your own ISP for measure first.

Oh and if that little fact doesn't scare you more than Google, how about the fact that the IWF is co-funded by EU governments... Who would you trust more with your browsing habits... hummm.... I know who I would trust myself.

(Maybe I wandered slightly OT there but I think it's relevant)

p.s. I'm not saying I disagree with the IWF's work, but I'm using it as an example as to how naive it is to think your ISP doesn't monitor your habits more than someone like Google does.

Edited by fiber0ptic, Jan 31 2010, 10:43pm :

Now I see why Jobs says Google is Evil. Internet privacy will go down due to Schmidt and his politics as CEO. This is about taking control and power, just look behind all this China problem. It was all made up to do this kind of thing. False flag is coming.

I don't understand the point of this move. Perhaps I don't understand this news at all. Is Google trying to use this to leverage their point for legal justification purposes? I mean, when you connect to their server to search for information, the IP is already connected to their database. They have ads that cater to localized subsidiaries. Their ads and the search results are localized to your area. Every time someone connects to Google, your IP is already being processed accordingly. Are they trying to use this strategy for a new type of service that they are going to offer to the consumer? This is puzzling. This news isn't offering any clarification at all.

What's there to understand? Google just wants to spy on you through their DNS services (if you use them) even more, by knowing more info about you.

Krome said,
I don't understand the point of this move. Perhaps I don't understand this news at all. Is Google trying to use this to leverage their point for legal justification purposes? I mean, when you connect to their server to search for information, the IP is already connected to their database. They have ads that cater to localized subsidiaries. Their ads and the search results are localized to your area. Every time someone connects to Google, your IP is already being processed accordingly. Are they trying to use this strategy for a new type of service that they are going to offer to the consumer? This is puzzling. This news isn't offering any clarification at all.

Currently Google is able to target their advertisements based on search history and cookies left by other websites; there is a huge void left by websites that do not leave relevant data on the host machine.

Should this proposal be adopted Google will be in a position to track, monitor, and trend data for nearly every site you visit. It is like spyware in the cloud.

Pupik said,
What's there to understand? Google just wants to spy on you through their DNS services (if you use them) even more, by knowing more info about you.

Mmm more FUD.

I don't really suspect nefarious intentions here, but it's worth pointing out that there are only 4 octets in an IP address, so sending 'only the first three' narrows you down to at most 1 in 256 users.

I suppose it could be 22 bits instead of 24 just as easily. Would 1 in 1,024 be anonymous enough? Probably not for everyone.

eAi said,
I don't really suspect nefarious intentions here, but it's worth pointing out that there are only 4 octets in an IP address, so sending 'only the first three' narrows you down to at most 1 in 256 users.

Does it matter from a privacy perspective? If you're querying google.com, then 99% of the time, you're going to actually hit a google.com URL in the next 100ms. Then they have your complete IP address. What use is the quasi-anonymous subnet in the DNS query?

shhac said,
...wouldn't IPv6 make this pointless?

Yea but adopting IPv6 is a hard transition. We won't have IPv6 for at least a few more years.

y2kboy23 said,
Yea but adopting IPv6 is a hard transition. We won't have IPv6 for at least a few more years.

Let's hope it's before September 2011! (http://en.wikipedia.org/wiki/IP_address_starvation#Exhaustion_date)

y2kboy23 said,
Yea but adopting IPv6 is a hard transition. We won't have IPv6 for at least a few more years.

We said that in 2003 when I got Cisco Certified, and it hasn't progressed much since then. Fact of the matter is as long as private IP addressing and NAT are around, nobody cares.

I don't like this not because of the privacy issues, but because it removes the important reason to use one of these CACHING resolvers.

When your DNS server queries the server it SHOULD provide it either a cached entry (Which is why these third party resolvers can be useful, a massive query cache.) or do the lookup.

However, with what this article is describing, the server would ALWAYS look up a new record EVERY time as the client's IP won't ever be the same, therefore INCREASING DNS traffic and load on the servers.

Poof said,
I don't like this not because of the privacy issues, but because it removes the important reason to use one of these CACHING resolvers.

If you read the article: "When a Recursive Resolver receives a reply containing an edns-client-ip option, it will return a reply to the client and cache the result as usual."

LiquidMeson said,
If you read the article: "When a Recursive Resolver receives a reply containing an edns-client-ip option, it will return a reply to the client and cache the result as usual."

Yes, but this also goes against the reason for having this. They'd have to either set up a system to do this:

1. Cache the local result for -ALL- other customer replies
2. Cache the local result for ONLY replies in that /24 (1.2.3.X)
3. Cache the local result, run it against its own GeoIP cache and return cached results based on specific similar geolocations.

Either way, unless the cache is being hit by ONE IP or simply one /24 subnet constantly, the caching will be useless as it's a 255 user cache, not a global cache.

Further, if it's the first option I mentioned, it would make the entire feature useless as it'd only matter who the FIRST client was that got that result. So, a person from Australia hits it, DNS caches the Australia results then people from say... The US now get those results until the cache expires.

Poof said,
2. Cache the local result for ONLY replies in that /24 (1.2.3.X)

Or make use of the BGP tables they have and cache for the entire /18, /17, /16 etc. that the ISP has that IP address in. That way you're not making use of the smallest announcement that you should see in the BGP table and you're also serving good results to the users. Why would you want to limit it to a /24 anyway? Your caching DB would end up getting insanely large.

Hell if you want to get really fancy you could cache based on the ASN (though that wouldn't be without problems either, in that some ISPs use the same ASN in more than one country - but it's better than /24 caching and not doing this sort of thing).

Caching the /18 or whatever is the aggregate will also get around the privacy comments as it'll be tied to one ISP/Country rather than all the way down to a city.

Edited by fiber0ptic, Jan 31 2010, 10:14pm : Adding a point
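To make the mechanism concrete, here is an added Python sketch (not code from the draft, from Google, or from any commenter) that truncates a client address to the forwarded prefix as the article describes, and keys a recursive resolver's cache on that prefix, which is what the caching debate in the comments is about. The geo table, CDN node names and resolver address are constructed for illustration; a scope of 0 models today's behaviour, where no client information is forwarded.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed geo table (RFC 5737 documentation ranges): the CDN node an
# authoritative server hands out for each client block it recognises.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "cdn-uk.example",
    ipaddress.ip_network("198.51.100.0/24"): "cdn-us.example",
}
# Constructed: the public recursive resolver itself lives in the UK block.
RESOLVER_ADDR = "192.0.2.254"

def client_subnet(addr: str, scope: int) -> ipaddress.IPv4Network:
    """Truncate a client address to the /scope prefix the resolver forwards (24 in the draft)."""
    return ipaddress.ip_network(f"{addr}/{scope}", strict=False)

def anonymity_set_size(scope: int) -> int:
    """How many IPv4 addresses share one truncated prefix: 256 for /24, 1024 for /22."""
    return 1 << (32 - scope)

def authoritative(qname: str, seen: ipaddress.IPv4Network) -> str:
    """Geo-aware nameserver: picks a node from the prefix it was shown, else a default."""
    for block, node in GEO_TABLE.items():
        if block.overlaps(seen):
            return node
    return "cdn-default.example"

class ScopedResolver:
    """Recursive resolver whose cache key includes the forwarded client prefix."""
    def __init__(self, scope: int) -> None:
        self.scope = scope  # 0 = send nothing (today), 24 = first three octets (the draft)
        self.cache: Dict[Tuple[str, ipaddress.IPv4Network], str] = {}
        self.upstream_queries = 0

    def resolve(self, qname: str, client_ip: str) -> Tuple[str, bool]:
        """Return (answer, served_from_cache) for one client query."""
        prefix = client_subnet(client_ip, self.scope)
        key = (qname, prefix)
        if key in self.cache:
            return self.cache[key], True
        # With scope 0 the nameserver only ever sees the resolver's own address,
        # so whichever client asked first decides the answer everyone else gets.
        seen = prefix if self.scope else ipaddress.ip_network(RESOLVER_ADDR)
        answer = authoritative(qname, seen)
        self.cache[key] = answer
        self.upstream_queries += 1
        return answer, False
```

`ScopedResolver(0)` reproduces the "first client decides" problem raised in the thread, while `ScopedResolver(24)` keeps one entry per /24 at the cost of one upstream query per prefix seen.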